Re: fail2ban problem

To: debian-user@lists.debian.org
Subject: Re: fail2ban problem
From: Chris Davies <chris-usenet@roaima.co.uk>
Date: Sun, 06 Jan 2013 10:23:28 +0000
Message-id: <[🔎] 0uvnr9xkgc.ln2@news.roaima.co.uk>
References: <[🔎] 50E8CD08.3000005@attglobal.net>

Jerry Stuckle <jstuckle@attglobal.net> wrote:
> I decided to try a fail2ban rule, but I can't get it to work.
> failregex = <HOST> .*"GET|POST|HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}

> This should match something like:
> 10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308

> However, it also seems to match ones like:
> 10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668

It's the GET|POST|HEAD part that isn't parsing as you'd expect. What
the RE is compiling down to is any one of the following:

    <HOST> .*"GET
    POST
    HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}

Solution is to put brackets (...) around the GET|POST|HEAD part:
    failregex = <HOST> .*"(GET|POST|HEAD) /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}

Oh, I'm not sure you want two spaces before the HTTPS? component.
Chris

Reply to:

Follow-Ups:
- Re: fail2ban problem
  - From: Jerry Stuckle <jstuckle@attglobal.net>

References:
- fail2ban problem
  - From: Jerry Stuckle <jstuckle@attglobal.net>

Prev by Date: Re: ivtv driver in Wheezy 3.2.0-4-amd64
Next by Date: Re: Local copy of ALL man pages
Previous by thread: fail2ban problem
Next by thread: Re: fail2ban problem
Index(es):
- Date
- Thread